[DOCS-10352] Update OP Microsoft Sentinel shortcodes #28790
Merged
merged 11 commits into from
Apr 28, 2025
Expand Up @@ -7,7 +7,7 @@ Use Observability Pipelines' Microsoft Sentinel destination to send logs to Micr

## Setup

Set up the Microsoft Sentinel destination and its environment variables when you [set up a pipeline][1]. The information below is configured in the pipelines UI.
Set up the Microsoft Sentinel destination and its environment variables when you [set up a pipeline][1]. The information below is configured in the pipelines UI, except for [Prerequisites](#prerequisites) which provides instructions on how to find the information you need in Microsoft Azure.

### Set up the destination

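Review bot: The new sentence in the added line, "except for [Prerequisites](#prerequisites) which provides instructions on how to find the information you need in Microsoft Azure", needs a comma before "which" and a noun for the link to hang on; suggest "except for the [Prerequisites](#prerequisites) section, which explains how to find the information you need in Microsoft Azure." Also confirm that the `#prerequisites` anchor resolves on the rendered page: the `#### Prerequisites` heading it points at lives in a different shortcode file in this PR and sits one level below the `### Set up the destination` heading that follows here, so the link only works if that shortcode is included under this section.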
@@ -1,4 +1,6 @@
- Data collection endpoint (DCE)
- Stored as the environment variable: `DD_OP_DESTINATION_MICROSOFT_SENTINEL_DCE_URI`
- The DCE endpoint URL is shown as the **Logs Ingestion Endpoint** or **Data Collection Endpoint** on the DCR Overview page. An example URL: `https://<DCE-ID>.ingest.monitor.azure.com/dataCollectionRules/<DCR-Immutable-ID>/streams/<Stream-Name>?api-version=2023-01-01`.
- Stored as the environment variable `DD_OP_DESTINATION_MICROSOFT_SENTINEL_DCE_URI`
- Client secret
- Stored as the environment variable: `DD_OP_DESTINATION_MICROSOFT_SENTINEL_CLIENT_SECRET`
- This is the Azure AD application's client secret, such as `550e8400-e29b-41d4-a716-446655440000`.
- Stored as the environment variable `DD_OP_DESTINATION_MICROSOFT_SENTINEL_CLIENT_SECRET`
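Review bot: The DCE description leaves it ambiguous what value `DD_OP_DESTINATION_MICROSOFT_SENTINEL_DCE_URI` should hold. The added text says the URL is shown as the **Logs Ingestion Endpoint** or **Data Collection Endpoint** on the DCR Overview page, but the example is the full stream URL `https://<DCE-ID>.ingest.monitor.azure.com/dataCollectionRules/<DCR-Immutable-ID>/streams/<Stream-Name>?api-version=2023-01-01`, which already embeds the DCR immutable ID and stream name that the UI steps elsewhere in this PR collect separately. State explicitly whether the worker expects the bare `https://<DCE-ID>.ingest.monitor.azure.com` endpoint or the full URL, so users do not end up supplying the DCR ID in two places. Separately, the client secret example `550e8400-e29b-41d4-a716-446655440000` is the same GUID this PR uses as the client ID example; an Entra app client secret value is not a GUID (the GUID shown beside it in the portal is the secret's ID, not its value), so this example invites pasting the wrong field. Use a distinct, clearly synthetic placeholder such as `<client-secret-value>` and note that the value is displayed only once, when the secret is generated.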
@@ -1,4 +1,38 @@
1. Enter the client ID for your application.
1. Enter the directory ID for your tenant.
1. Enter the name of the table to which you are sending the logs.
1. Enter the Data Collection Rule (DCR) immutable ID.
#### Prerequisites

To set up the Microsoft Sentinel destination, you need the following information:

| Name | Description |
|------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Application (client) ID | The Azure Active Directory (AD) application's client ID. See [Register an application in Microsoft Entra ID][10161] for information on creating a new application.<br>**Example**: `550e8400-e29b-41d4-a716-446655440000` |
| Directory (tenant) ID | The Azure AD tenant ID. See [Register an application in Microsoft Entra ID][10161] for information on creating a new application.<br>**Example**: `72f988bf-86f1-41af-91ab-2d7cd011db47` |
| Table (Stream) Name | The name of the stream which matches the table chosen when configuring the Data Collection Rule (DCR).<br>**Example**: `Custom-MyLogs_CL` |
| Data Collection Rule (DCR) immutable ID | This is the immutable ID of the DCR where logging routes are defined. It is the **Immutable ID** shown on the DCR Overview page.<br>**Note**: Ensure the Monitoring Metrics Publisher role is assigned in the DCR IAM settings.<br>**Example**: `dcr-000a00a000a00000a000000aa000a0aa`<br>See [Data collection rules (DCRs) in Azure Monitor][10162] to learn more about creating or viewing DCRs. |

Do the following to get that information:

1. Create or identify a Data Collection Rule (DCR).
1. In the Azure Portal, navigate to **Azure Monitor** → **Data Collection Rules**.
1. Create a DCR or use an existing one for custom logs. See [Data collection rules (DCRs) in Azure Monitor][10162] to learn more about creating or viewing DCRs.
1. Take note of the DCR Immutable ID and, if you are using private links, the DCR's Data Collection Endpoint (DCE). You need this information when you set up the Microsoft Sentinel destination.
1. Define a custom table (for example, `Custom-MyLogs_CL`) in the DCR, which is where Observability Pipelines sends logs to.
1. Get the ingestion URL.
1. In the DCR, locate the **Logs Ingestion API endpoint**. The endpoint has the format: `https://<DCE-ID>.ingest.monitor.azure.com/dataCollectionRules/<DCR-Immutable-ID>/streams/<Stream-Name>?api-version=2023-01-01`, where the `<Stream-Name>` typically matches your custom table (for example, `Custom-MyLogs_CL`).
1. The ingestion URL is needed when you set up you Microsoft Sentinel destination's environment variable.
1. To authenticate the Observability Pipelines Worker with Microsoft Sentinel:
1. In the Azure Portal, navigate to **Azure AD** > **App Registrations** and register an Azure Active Directory (AD) application. See [Register an application in Microsoft Entra ID][10161] for information on creating a new application.
1. Generate a **Client Secret**.
1. Assign it the **Monitoring Metrics Publisher** role on the Log Analytics workspace
1. Take note of the **Tenant ID**, **Client ID**, and **Client Secret**. You need this information when you set up the Microsoft Sentinel destination.

#### Set up destination in Observability Pipelines

To set up the Microsoft Sentinel destination in Observability Pipelines:

1. Enter the client ID for your application, such as `550e8400-e29b-41d4-a716-446655440000`.
1. Enter the directory ID for your tenant, such as `72f988bf-86f1-41af-91ab-2d7cd011db47`. This is the Azure AD tenant ID.
1. Enter the name of the table, such as `Custom-MyLogs`, to which you are sending logs.
1. Enter the Data Collection Rule (DCR) immutable ID, such as `dcr-000a00a000a00000a000000aa000a0aa`.

[10161]: https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app?tabs=certificate%2Cexpose-a-web-api
[10162]: https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/data-collection-rule-overview
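Review bot: The role assignment scope is stated two different ways in this hunk: the DCR row of the table says "Ensure the Monitoring Metrics Publisher role is assigned in the DCR IAM settings", while the authentication step says "Assign it the **Monitoring Metrics Publisher** role on the Log Analytics workspace". Make them agree; for the Logs Ingestion API the application needs the role on the DCR (or a parent scope that contains it), and a Log Analytics workspace is a separate resource that does not contain the DCR, so the table wording is the one to keep. That step is also missing its full stop. Other inconsistencies to fix in the added text: the table name example under "Set up destination in Observability Pipelines" is `Custom-MyLogs` while every other occurrence is `Custom-MyLogs_CL`; "when you set up you Microsoft Sentinel destination's environment variable" should read "your"; "which is where Observability Pipelines sends logs to" should read "the table to which Observability Pipelines sends logs"; the DCE is described here as needed only "if you are using private links" but is listed as a required environment variable in the other changed file, so say which it is; and the text mixes "Azure Active Directory (AD)"/"Azure AD" with the "Microsoft Entra ID" naming used in the linked references. Finally, prefer obviously synthetic GUIDs (for example all zeros) for the tenant and client ID examples rather than values that look like real identifiers.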